Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.

Thursday, June 17, 2010

Tune It Like a Fiddle

When's the last time you did a comprehensive review of your IDS for further filtering? If you haven't done it in a while, you might be shocked at the false positive creep. New partner circuits get added, new app servers, maybe your company is using a totally new app? Which brings up another point. Not only do you need to review what needs to be filtered, you may need to review what needs to be UNFILTERED as well. If your company wasn't using Citrix, for example, the last time you did a review, you may have all those signatures disabled to optimize the performance of your sensors and reduce overhead. If you work for a smaller company, and those decisions are left to your discretion, as opposed to a group that regularly reviews policy, you'll need to stay aware of what platforms and apps your company uses on a regular basis. Doing regular port scans should alert you to new services opened up, and using the OS scan switch can help determine if there are new platforms you need signatures for.

And don't just do this for your external addresses. As they say, most networks are a Tootsie Pop: hard on the outside with a soft, chewy center. If an attacker pops a perimeter box, he now has a pivot point to attack further in, depending on how in-depth your defenses and detectors are layered. That's why it's important not to put all your eggs in one basket with just perimeter sensors. You need sensors in front of your most vital assets, like database servers, HR and payroll boxes and anything with confidential info stored on it. That way, if the attacker eludes your perimeter defenses, you have another opportunity to detect (and stop) her. HIDS and log files are your last line of defense. All that good log data isn't worth anything unless you have a process in place to parse it and alert on it.

Review those signatures. Not only can you cut down a lot of white noise, you might find out you didn't know what you were missing.
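Here's one way to turn the "regular port scans plus the OS scan switch" advice into a repeatable review step. This is an added example, not something from the original post or any IDS vendor: a small Python script that diffs two nmap XML reports (what `nmap -O -oX` writes) and tells you which service types and OS families showed up since the last review (signature groups to unfilter) and which disappeared (signature groups you can probably filter now). The two XML documents below are hand-constructed samples in the shape of nmap's output; the `osclass`-inside-`osmatch` nesting assumes a recent nmap, and the file/function names are my own.

```python
"""Diff two nmap -O -oX scans to see what changed since the last signature review.

Hypothetical helper (not from the original post): reports services and OS
families that appeared (signature groups to enable) and that vanished
(candidates for filtering).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap's XML output: the scan from the LAST review.
BASELINE_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
 </ports>
 <os><osmatch name="Linux 2.6.X" accuracy="95"><osclass osfamily="Linux"/></osmatch></os>
</host>
<host><address addr="10.0.0.9" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
 </ports>
 <os><osmatch name="Cisco IOS 12.X" accuracy="90"><osclass osfamily="embedded"/></osmatch></os>
</host>
</nmaprun>"""

# Constructed sample: TODAY's scan. 10.0.0.9 is gone, 10.0.0.5 moved to HTTPS,
# and a new Windows SQL box showed up that no currently enabled signature group covers.
CURRENT_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="closed"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports>
 <os><osmatch name="Linux 2.6.X" accuracy="95"><osclass osfamily="Linux"/></osmatch></os>
</host>
<host><address addr="10.0.0.12" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
 </ports>
 <os><osmatch name="Microsoft Windows Server 2003" accuracy="92"><osclass osfamily="Windows"/></osmatch></os>
</host>
</nmaprun>"""


def parse_scan(xml_text):
    """Return ({(ip, proto, port): service_name}, {ip: os_family}) for open ports only."""
    services, platforms = {}, {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports need no signature decision
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            services[(ip, port.get("protocol"), int(port.get("portid")))] = name
        # nmap lists osmatch entries best-first; take the first osclass family
        osclass = host.find("os/osmatch/osclass")
        if osclass is not None:
            platforms[ip] = osclass.get("osfamily")
    return services, platforms


def diff_scans(baseline_xml, current_xml):
    """Compare two scans and return what the signature review has to act on."""
    old_svc, old_os = parse_scan(baseline_xml)
    new_svc, new_os = parse_scan(current_xml)
    return {
        # per-host changes: where sensor placement or host-specific rules may be stale
        "new_services": sorted((k, new_svc[k]) for k in new_svc.keys() - old_svc.keys()),
        "gone_services": sorted((k, old_svc[k]) for k in old_svc.keys() - new_svc.keys()),
        # network-wide: service types seen nowhere before -> signature groups to UNFILTER
        "services_to_enable": sorted(set(new_svc.values()) - set(old_svc.values())),
        # service types seen nowhere any more -> signature groups you can now filter
        "services_to_review": sorted(set(old_svc.values()) - set(new_svc.values())),
        "platforms_to_enable": sorted(set(new_os.values()) - set(old_os.values())),
        "platforms_to_review": sorted(set(old_os.values()) - set(new_os.values())),
    }


def report(changes):
    """Render the diff as a plain-text checklist for the review."""
    lines = []
    for key, items in changes.items():
        lines.append(f"{key}: {', '.join(map(str, items)) or '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python scan_diff.py last_review.xml today.xml
        with open(sys.argv[1]) as old, open(sys.argv[2]) as new:
            print(report(diff_scans(old.read(), new.read())))
    else:
        print(report(diff_scans(BASELINE_XML, CURRENT_XML)))
```

Run it with no arguments to see the constructed sample (it flags `ms-sql-s` and `Windows` as things to enable and `telnet` and `embedded` as things you can think about filtering), or pass it the XML from your last review and from today's scan of your own ranges. Keep the baseline file with the rest of your review notes; the diff is only as good as the scan you compare against, so scan the inside of the Tootsie Pop too, not just the external addresses.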